EP2874367A1 - Call authentication method, device, and system - Google Patents
Call authentication method, device, and system Download PDFInfo
- Publication number
- EP2874367A1 EP2874367A1 EP20130803875 EP13803875A EP2874367A1 EP 2874367 A1 EP2874367 A1 EP 2874367A1 EP 20130803875 EP20130803875 EP 20130803875 EP 13803875 A EP13803875 A EP 13803875A EP 2874367 A1 EP2874367 A1 EP 2874367A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- authentication data
- user terminal
- mme
- emergency call
- hss
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 23
- 238000012795 verification Methods 0.000 claims abstract description 63
- 238000004891 communication Methods 0.000 claims abstract description 47
- 238000004364 calculation method Methods 0.000 claims description 44
- 230000004044 response Effects 0.000 claims description 10
- 238000012545 processing Methods 0.000 claims description 4
- 238000010586 diagram Methods 0.000 description 6
- 238000010295 mobile communication Methods 0.000 description 4
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000006870 function Effects 0.000 description 2
- 230000000977 initiatory effect Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
- CSRZQMIRAZTJOY-UHFFFAOYSA-N trimethylsilyl iodide Substances C[Si](C)(C)I CSRZQMIRAZTJOY-UHFFFAOYSA-N 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/90—Services for handling of emergency or hazardous situations, e.g. earthquake and tsunami warning systems [ETWS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/71—Hardware identity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/50—Connection management for emergency connections
Definitions
- the present invention relates to the field of wireless communication, and particularly, to a call authentication method, device and system.
- An emergency call is a peculiar voice service in the mobile communication system, in which a mobile subscriber is allowed to call emergency call centers such as 120 center and 119 fire alarm and so on provided by operators through a mobile communication network covering its location in a case that a mobile terminal is in limited calling or a Subscriber Identity Module (SIM) card is not inserted, wherein, the case that the mobile terminal is in limited calling or the SIM card is not inserted is called an emergency attachment case.
- SIM Subscriber Identity Module
- the mobile terminal initiates an emergency call to the network side in the case of emergency attachment, and the network side can generally neglect an International Mobile Subscriber Identity (IMSI) of the mobile terminal and allows the mobile terminal to access a core network.
- IMSI International Mobile Subscriber Identity
- the mobile terminal is required to send its International Mobile Equipment Identity (IMEI) of the mobile terminal to the network side; and when receiving the IMEI of the mobile terminal, the network side takes the IMEI as identity information for the mobile terminal emergently accessing the core network.
- IMEI International Mobile Equipment Identity
- FIG. 1 is a flow chart of a subscriber initiating an emergency call through the mobile communication network by using the mobile terminal, and the following steps are included.
- a Radio Resource Control (RRC) connection is established between a mobile terminal (i.e., a User Equipment (UE)) and a base station at the location where the UE is located (i.e., an Evolved Node B (eNodeB)).
- RRC Radio Resource Control
- step 2 the UE sends a request message to the eNodeB, the request message contains a call type and an access network identity, wherein, the call type is an emergency call type.
- the access network identity can be a Globally Unique Temporary Identity (GUTI) or a Packet Temporary Mobile Subscriber Identity (P-TMSI) saved by the UE, or an IMSI of the UE, or an IMEI of the UE.
- GUI Globally Unique Temporary Identity
- P-TMSI Packet Temporary Mobile Subscriber Identity
- step 3 the eNodeB selects a Mobile Management Entity (MME) for the UE, and forwards the received request message to the MME.
- MME Mobile Management Entity
- step 4 the MME judges whether the MME itself has an ability of responding to the emergency call, when determining that it has the ability of responding to the emergency call, judges the access network identity of the UE carried in the received request message, executes step 5; and when determining that it does not have the ability of responding to the emergency call, returns a rejection response message.
- step 5 when determining that the access network identity carried in the request message is the GUTI or P-TMSI, the MME requests the UE to report the IMSI, and when receiving the IMSI reported by the UE, responds to the request message, and allows accessing the network.
- step 6 when determining that the access network identity carried in the request message is the IMEI, the MME sends the received IMEI to an Equipment Identity Register (EIR) to be authenticated, and when the authentication is passed, responds to the request message, and allows accessing the network.
- EIR Equipment Identity Register
- the MME when the MME responds to the emergency call request of the terminal, after determining that the access network identity reported by the UE is the IMEI, the MME only determines whether the IMEI is blacklisted, and when determining that the IMEI is not blacklisted, allows the UE to access the core network.
- the embodiments of the present invention provide a call authentication method, device and system, which solve a problem that, when a user terminal sends an emergency call request to a network side in a case of emergency attachment, since the network side does not perform security authentication on the user terminal that initiates the call, worse security of the emergency call is caused in the related art.
- the embodiment of the present invention provides a call authentication method, which comprises:
- the method further comprises: after allowing the user terminal to access the communication network, the MME receiving an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and the MME sending the received emergency call message to the HSS to be parsed, and returning a response message to the user terminal according to a parse result.
- the method further comprises: after the MME receives the emergency call request message and before the MME sends the query request to the HSS, according to a corresponding relation between the access network identity of the user terminal and a number of emergency call requests, the MME searching for a number of times for the user terminal sending the emergency call request to the MME within a set duration; and the MME judging whether a searched number of emergency call requests is greater than a set threshold value, if yes, rejecting to respond to the emergency call request of the user terminal; and if not, executing an operation of sending the query request to the HSS.
- the step of the MME receiving the second authentication data sent by the user terminal comprises:
- the step of the MME comparing the first authentication data and the second authentication data comprises:
- the embodiment of the present invention further provides a call authentication method, which comprises:
- the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal
- IMEI International Mobile Equipment Identity
- the locally stored corresponding relation between the access network identity and the device key comprises:
- the embodiment of the present invention further provides a call authentication device, which comprises:
- the device further comprises:
- the emergency call request message carries the access network identity of the user terminal; the device further comprises: a call-times determination module and a call judgment module, wherein:
- the comparison module is configured to compare the first authentication data and the second authentication data in the following way:
- the embodiment of the present invention further provides a Home Subscriber Server (HSS), which comprises:
- the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal; the first authentication data calculation module is further configured to: store a corresponding relation between the IMEI of the user terminal and the device key.
- IMEI International Mobile Equipment Identity
- the embodiment of the present invention further provides a call authentication system, which comprises: a Mobile Management Entity (MME), a user terminal and a Home Subscriber Server (HSS); wherein, the MME is configured to: receive an emergency call request message sent by the user terminal, and send a query request containing an access network identity carried in the emergency call request message to the HSS; receive a query result carrying verification information and first authentication data returned by the HSS, and second authentication data sent by the user terminal; compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network; after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with a security key; and send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result; the user terminal is
- the user terminal is further configured to: when the user terminal receives the verification information sent by the MME, perform calculation on the received verification information with the locally stored security key to obtain the second authentication data.
- the corresponding relation between the IMEI of the user terminal and the device key is locally stored in the user terminal and the HSS respectively, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
- the embodiments of the present invention disclose a call authentication method, device and system, by locally storing the corresponding relation between the IMEI of the user terminal and the device key in the user terminal and the HSS respectively, when the user terminal sends the emergency call request message to the MME, the MME acquires the security key containing the device key, and the first authentication data obtained by performing calculation with the security key and the random verification information from the HSS, and receives the second authentication data obtained through calculation according to the locally stored security key and the received verification information sent by the user terminal, and compares the first authentication data and the second authentication data, when the comparison result is that the first authentication data and the second authentication data are identical, determines that the authentication is passed, and allows the user terminal to access the communication network, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
- a symmetrical device key is set in the network side and the user terminal, which is used for the network side performing authentication on the user terminal.
- the device key is associated with the IMEI of the user terminal, the network side stores a corresponding relation between the IMEI of the user terminal and the device key, and the device key in the HSS, the network side can only acquire a calculation result obtained by performing calculation with the device key through a query and cannot directly acquire the device key;
- a legal user terminal stores its own device key in a security component, and it also can only acquire a calculation result obtained by performing calculation with the device key through a query and cannot directly acquire the device key, wherein, it is a one-to-one correspondence relation between the device key and the IMEI, and each device key corresponds to only one IMEI.
- the security key involved in all the embodiments of the present invention is obtained by performing calculation with the stored device key, parameter information and access network identity information of the user terminal according to a set calculation method, both the network side and the user terminal have a function of encryption and decryption, which guarantees the security in a signaling transmission process and makes the utilized air interface resources be protected.
- FIG. 2 it is a flow chart of a call authentication method according to the embodiment 1 of the present invention, and the method includes the following steps.
- an MME receives an emergency call request message carrying an access network identity sent by a user terminal, and carries the access network identity into a query request to send to an HSS.
- the access network identity is an IMEI of the user terminal.
- the user terminal when the user terminal is in limited calling or an SIM card/a Universal Subscriber Identity Module (USIM) card is not inserted, and an emergency call request is required to be initiated, the user terminal takes its own IMEI as the access network identity and carries the access network identity into the emergency call request message to send to the MME.
- IMEI the access network identity
- the MME when receiving the emergency call request message sent by the user, the MME indicates the user terminal to report the access network identity, so as to identify the user terminal.
- the user terminal When the access network identity reported by the user terminal and received by the MME is a GUIT or a P_TMSI, the user terminal is indicated to report an IMSI of the user terminal; and when the access network identity reported by the user terminal and received by the MME is the IMSI, the user terminal is indicated to report the IMEI of the user terminal.
- the method also includes:
- step 102 the MME receives a query result carrying verification information and first authentication data returned by the HSS.
- the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information, wherein, the security key contains a device key, the device key is determined by the HSS according to a locally stored corresponding relation between the access network identity and the device key.
- the MME contains the access network identity carried in the received emergency call request message into the query request to send to the HSS.
- step 1 according to the locally stored corresponding relation between the access network identity and the device key, a device key corresponding to the access network identity contained in the query request is determined.
- step 2 a security key containing the device key and the randomly generated verification information are used for calculating to obtain the first authentication data.
- the way of calculation can be to use a set algorithm, and it also can be to calculate according to a protocol rule in the 3rd Generation Partnership Project (3GPP) protocol, which is not limited here.
- 3GPP 3rd Generation Partnership Project
- step 3 the randomly generated verification information and the obtained first authentication data are taken as a query result to be sent to the MME.
- the verification information can be verification information in a 3GPP format, such as RAND; the first authentication data are device-challenge; the query result is RAND
- step 103 the MME receives second authentication data sent by the user terminal.
- the second authentication data are obtained by the user terminal performing calculation with the locally stored security key and the verification information after receiving the verification information sent by the MME.
- the MME receives the query result returned by the HSS, the query result contains random verification information, and the MME sends the random verification information to the user terminal.
- step 1 a device key corresponding to the IMEI of the user terminal itself is determined.
- step 2 it is to perform calculation on the received verification information with the security key containing the determined device key to obtain the second authentication data.
- step 3 the obtained second authentication data are sent to the MME.
- step 104 the MME compares the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determines that an authentication is passed, and allows the user terminal to access a communication network.
- the MME judges whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executes an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executes an operation of determining that the authentication is not passed and rejecting accessing the network.
- step 105 after allowing the user terminal to access the communication network, the MME receives an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key.
- step 106 the MME sends the received emergency call message to the HSS to be parsed, and returns a response message to the user terminal according to a parse result.
- the MME Since the HSS stores the device key, and the security key is determined by the device key, the MME is required to perform decryption operation on the received encrypted emergency call message through the HSS when receiving the encrypted emergency call message.
- the MME by locally storing the corresponding relation between the IMEI of the user terminal and the device key in the user terminal and the HSS respectively, when the user terminal sends the emergency call request message to the MME, the MME acquires the security key containing the device key from the HSS, and acquires the first authentication data obtained by performing calculation with the security key and the random verification information, and receives the second authentication data obtained through calculation according to the locally stored security key and the received verification information sent by the user terminal, and compares the first authentication data and the second authentication data, when the comparison result is that the first authentication data and the second authentication data are identical, determines that the authentication is passed, and allows the user terminal to access the communication network, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
- FIG. 3 it is a schematic diagram of a structure of a call authentication device according to the embodiment 2, the device includes: a first receiving module 11, a second receiving module 12, a third receiving module 13 and a comparison module 14, wherein:
- the device also includes: a fourth receiving module 15 and a message processing module 16, wherein:
- the emergency call request message carries the access network identity of the user terminal.
- the device also includes: a call-times determination module 17 and a call judgment module 18, wherein:
- the comparison module 14 is configured to compare the first authentication data and the second authentication data in the following way: judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
- the HSS includes: a receiving module 21, a first authentication data calculation module 22 and a sending module 23, wherein:
- the access network identity is an IMEI of the user terminal; the first authentication data calculation module 22 is further configured to: store a corresponding relation between the IMEI of the user terminal and the device key.
- FIG. 5 it is a structure diagram of a call authentication system according to the embodiment 4, the system includes: an MME 31, a user terminal 32 and an HSS 33, wherein:
- the user terminal 32 is further configured to: when the user terminal 32 receives the verification information sent by the MME 31, perform calculation on the received verification information with the locally stored security key to obtain the second authentication data.
- the corresponding relation between the IMEI of the user terminal and the device key is locally stored in the user terminal and the HSS respectively, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Business, Economics & Management (AREA)
- Health & Medical Sciences (AREA)
- Emergency Management (AREA)
- Environmental & Geological Engineering (AREA)
- Public Health (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
Description
- The present invention relates to the field of wireless communication, and particularly, to a call authentication method, device and system.
- An emergency call is a peculiar voice service in the mobile communication system, in which a mobile subscriber is allowed to call emergency call centers such as 120 center and 119 fire alarm and so on provided by operators through a mobile communication network covering its location in a case that a mobile terminal is in limited calling or a Subscriber Identity Module (SIM) card is not inserted, wherein, the case that the mobile terminal is in limited calling or the SIM card is not inserted is called an emergency attachment case.
- In the related art, the mobile terminal initiates an emergency call to the network side in the case of emergency attachment, and the network side can generally neglect an International Mobile Subscriber Identity (IMSI) of the mobile terminal and allows the mobile terminal to access a core network. At this point, the mobile terminal is required to send its International Mobile Equipment Identity (IMEI) of the mobile terminal to the network side; and when receiving the IMEI of the mobile terminal, the network side takes the IMEI as identity information for the mobile terminal emergently accessing the core network. As shown in
FIG. 1, FIG. 1 is a flow chart of a subscriber initiating an emergency call through the mobile communication network by using the mobile terminal, and the following steps are included. - In
step 1, a Radio Resource Control (RRC) connection is established between a mobile terminal (i.e., a User Equipment (UE)) and a base station at the location where the UE is located (i.e., an Evolved Node B (eNodeB)). - In
step 2, the UE sends a request message to the eNodeB, the request message contains a call type and an access network identity, wherein, the call type is an emergency call type. - The access network identity can be a Globally Unique Temporary Identity (GUTI) or a Packet Temporary Mobile Subscriber Identity (P-TMSI) saved by the UE, or an IMSI of the UE, or an IMEI of the UE.
- In
step 3, the eNodeB selects a Mobile Management Entity (MME) for the UE, and forwards the received request message to the MME. - In
step 4, the MME judges whether the MME itself has an ability of responding to the emergency call, when determining that it has the ability of responding to the emergency call, judges the access network identity of the UE carried in the received request message, executes step 5; and when determining that it does not have the ability of responding to the emergency call, returns a rejection response message. - In step 5, when determining that the access network identity carried in the request message is the GUTI or P-TMSI, the MME requests the UE to report the IMSI, and when receiving the IMSI reported by the UE, responds to the request message, and allows accessing the network.
- In step 6, when determining that the access network identity carried in the request message is the IMEI, the MME sends the received IMEI to an Equipment Identity Register (EIR) to be authenticated, and when the authentication is passed, responds to the request message, and allows accessing the network.
- In the communication system, when the MME responds to the emergency call request of the terminal, after determining that the access network identity reported by the UE is the IMEI, the MME only determines whether the IMEI is blacklisted, and when determining that the IMEI is not blacklisted, allows the UE to access the core network.
- Therefore, it will not only cause that a lawbreaker accesses the core network in such a way of emergency call and attacks the core network maliciously to increase insecurity factors of the communication network, but also cause that air interface resources occupied in the communication are not in safety protection since no secure communication link is established between the UE and the network side in the emergency call, which makes certain information in the emergency call be stolen or tampered, and makes the security of the emergency call worse.
- The embodiments of the present invention provide a call authentication method, device and system, which solve a problem that, when a user terminal sends an emergency call request to a network side in a case of emergency attachment, since the network side does not perform security authentication on the user terminal that initiates the call, worse security of the emergency call is caused in the related art.
- The embodiment of the present invention provides a call authentication method, which comprises:
- a Mobile Management Entity (MME) receiving an emergency call request message carrying an access network identity sent by a user terminal, and carrying the access network identity into a query request to send to a Home Subscriber Server (HSS);
- the MME receiving a query result carrying verification information and first authentication data returned by the HSS, wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information; the security key comprises a device key; the device key is determined by the HSS according to a locally stored corresponding relation between an access network identity and a device key;
- the MME receiving second authentication data sent by the user terminal, wherein, the second authentication data are obtained by the user terminal performing calculation with a locally stored security key and verification information after receiving the verification information sent by the MME; and
- the MME comparing the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determining that an authentication is passed, and allowing the user terminal to access a communication network.
- Alternatively, the method further comprises: after allowing the user terminal to access the communication network,
the MME receiving an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and
the MME sending the received emergency call message to the HSS to be parsed, and returning a response message to the user terminal according to a parse result. - Alternatively, the method further comprises: after the MME receives the emergency call request message and before the MME sends the query request to the HSS,
according to a corresponding relation between the access network identity of the user terminal and a number of emergency call requests, the MME searching for a number of times for the user terminal sending the emergency call request to the MME within a set duration; and
the MME judging whether a searched number of emergency call requests is greater than a set threshold value, if yes, rejecting to respond to the emergency call request of the user terminal; and if not, executing an operation of sending the query request to the HSS. - Alternatively, the step of the MME receiving the second authentication data sent by the user terminal comprises:
- the MME receiving the second authentication data obtained by the user terminal performing calculation on the received verification information with the locally stored security key when the user terminal receives the verification information sent by the MME.
- Alternatively, the step of the MME comparing the first authentication data and the second authentication data comprises:
- the MME judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
- The embodiment of the present invention further provides a call authentication method, which comprises:
- a Home Subscriber Server (HSS) receiving a query request sent by a Mobile Management Entity (MME), wherein, the query request contains an access network identity, and the access network identity is carried in an emergency call request message sent by a user terminal to the MME;
- according to a locally stored corresponding relation between an access network identity and a device key, the HSS determining a device key corresponding to the access network identity contained in the query request, and performing calculation with a security key containing the device key and randomly generated verification information to obtain first authentication data; and
- the HSS taking the randomly generated verification information and the obtained first authentication data as a query result to send to the MME, so that the MME compares the obtained first authentication data and received second authentication data sent by the user terminal, and when a comparison result is that the first authentication data and the second authentication data are identical, determining that an authentication is passed, and allowing the user terminal to access a communication network.
- Alternatively, the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal;
the locally stored corresponding relation between the access network identity and the device key comprises: - a corresponding relation between the IMEI of the user terminal and the device key locally stored by the HSS
- The embodiment of the present invention further provides a call authentication device, which comprises:
- a first receiving module, configured to: receive an emergency call request message carrying an access network identity sent by a user terminal, and carry the access network identity into a query request to send to a Home Subscriber Server (HSS);
- a second receiving module, configured to: receive a query result carrying verification information and first authentication data returned by the HSS, wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information; the security key comprises a device key; the device key is determined by the HSS according to a locally stored corresponding relation between an access network identity and a device key;
- a third receiving module, configured to: receive second authentication data sent by the user terminal, wherein, the second authentication data are obtained by the user terminal performing calculation on verification information with a locally stored security key after receiving the verification information sent by a Mobile Management Entity (MME); and
- a comparison module, configured to: compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network.
- Alternatively, the device further comprises:
- a fourth receiving module, configured to: after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and
- a message processing module, configured to: send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result.
- Alternatively, the emergency call request message carries the access network identity of the user terminal;
the device further comprises: a call-times determination module and a call judgment module, wherein: - the call-times determination module is configured to: before carrying the received access network identity into the query request to send to the HSS, according to a corresponding relation between the access network identity of the user terminal and a number of emergency call requests, search for a number of times for the user terminal sending an emergency call request within a set duration; and
- the call judgment module is configured to: judge whether a searched number of emergency call requests is greater than a set threshold value, if yes, reject to respond to the emergency call request of the user terminal; and if not, execute an operation of carrying the received access network identity into the query request to send to the HSS.
- Alternatively, the comparison module is configured to compare the first authentication data and the second authentication data in the following way:
- judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
- The embodiment of the present invention further provides a Home Subscriber Server (HSS), which comprises:
- a receiving module, configured to: receive a query request sent by a Mobile Management Entity (MME), wherein, the query request contains an access network identity, and the access network identity is carried in an emergency call request message sent by a user terminal to the MME;
- a first authentication data calculation module, configured to: according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain first authentication data; and
- a sending module, configured to: take the randomly generated verification information and the obtained first authentication data as a query result to send to the MME, so that the MME compares the obtained first authentication data and received second authentication data sent by the user terminal, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network.
- Alternatively, the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal;
the first authentication data calculation module is further configured to: store a corresponding relation between the IMEI of the user terminal and the device key. - The embodiment of the present invention further provides a call authentication system, which comprises: a Mobile Management Entity (MME), a user terminal and a Home Subscriber Server (HSS); wherein,
the MME is configured to: receive an emergency call request message sent by the user terminal, and send a query request containing an access network identity carried in the emergency call request message to the HSS; receive a query result carrying verification information and first authentication data returned by the HSS, and second authentication data sent by the user terminal; compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network; after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with a security key; and send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result;
the user terminal is configured to: send the emergency call request message carrying the access network identity to the MME; send the second authentication data to the MME; and after being allowed to access the communication network, send the emergency call message carrying the emergency call contents to the MME, wherein, the emergency call contents are obtained after being encrypted with the security key; and
the HSS is configured to: receive the query request carrying the access network identity sent by the MME, and according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain the first authentication data and send the first authentication data to the MME; and after allowing the user terminal to access the communication network, receive and parse the emergency call message carrying the emergency call contents sent by the MME. - Alternatively, the user terminal is further configured to: when the user terminal receives the verification information sent by the MME, perform calculation on the received verification information with the locally stored security key to obtain the second authentication data.
- In the embodiments of the present invention, the corresponding relation between the IMEI of the user terminal and the device key is locally stored in the user terminal and the HSS respectively, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
-
-
FIG. 1 is a flow chart of a user initiating an emergency call through the mobile communication network by using the mobile terminal. -
FIG. 2 is a flow chart of a call authentication method according to theembodiment 1 of the present invention. -
FIG. 3 is a schematic diagram of a structure of a call authentication device according to theembodiment 2 of the present invention. -
FIG. 4 is a schematic diagram of a structure of an HSS according to theembodiment 3 of the present invention. -
FIG. 5 is a structure diagram of a call authentication system according to theembodiment 4 of the present invention. - The embodiments of the present invention disclose a call authentication method, device and system, by locally storing the corresponding relation between the IMEI of the user terminal and the device key in the user terminal and the HSS respectively, when the user terminal sends the emergency call request message to the MME, the MME acquires the security key containing the device key, and the first authentication data obtained by performing calculation with the security key and the random verification information from the HSS, and receives the second authentication data obtained through calculation according to the locally stored security key and the received verification information sent by the user terminal, and compares the first authentication data and the second authentication data, when the comparison result is that the first authentication data and the second authentication data are identical, determines that the authentication is passed, and allows the user terminal to access the communication network, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
- It should be noted that in the scheme of the embodiment of the present invention, a symmetrical device key is set in the network side and the user terminal, which is used for the network side performing authentication on the user terminal. The device key is associated with the IMEI of the user terminal, the network side stores a corresponding relation between the IMEI of the user terminal and the device key, and the device key in the HSS, the network side can only acquire a calculation result obtained by performing calculation with the device key through a query and cannot directly acquire the device key; a legal user terminal stores its own device key in a security component, and it also can only acquire a calculation result obtained by performing calculation with the device key through a query and cannot directly acquire the device key, wherein, it is a one-to-one correspondence relation between the device key and the IMEI, and each device key corresponds to only one IMEI.
- The security key involved in all the embodiments of the present invention, no matter in the network side or the user terminal, is obtained by performing calculation with the stored device key, parameter information and access network identity information of the user terminal according to a set calculation method, both the network side and the user terminal have a function of encryption and decryption, which guarantees the security in a signaling transmission process and makes the utilized air interface resources be protected.
- All the embodiments of the present invention will be described in detail in combination with the description of accompanying drawings. It should be noted that the embodiments in the present invention and the characteristics in the embodiments can be optionally combined with each other in the condition of no conflict.
- As shown in
FIG. 2 , it is a flow chart of a call authentication method according to theembodiment 1 of the present invention, and the method includes the following steps. - In
step 101, an MME receives an emergency call request message carrying an access network identity sent by a user terminal, and carries the access network identity into a query request to send to an HSS. - Wherein, the access network identity is an IMEI of the user terminal.
- In the
step 101, when the user terminal is in limited calling or an SIM card/a Universal Subscriber Identity Module (USIM) card is not inserted, and an emergency call request is required to be initiated, the user terminal takes its own IMEI as the access network identity and carries the access network identity into the emergency call request message to send to the MME. - Alternatively, when receiving the emergency call request message sent by the user, the MME indicates the user terminal to report the access network identity, so as to identify the user terminal.
- When the access network identity reported by the user terminal and received by the MME is a GUIT or a P_TMSI, the user terminal is indicated to report an IMSI of the user terminal; and when the access network identity reported by the user terminal and received by the MME is the IMSI, the user terminal is indicated to report the IMEI of the user terminal.
- It should be noted that, when the user terminal is in a state that the SIM card is not inserted, there is no IMSI, only the IMEI can be provided to the MME.
- Alternatively, after the MME receives the emergency call request message, and before the MME sends the query request to the HSS, the method also includes:
- firstly, according to a corresponding relation between the access network identity of the user terminal and the number of emergency call requests, the MME searching for the number of times for the user terminal sending the emergency call request to the MME within a set duration;
- wherein, the MME itself has a counter used for counting the number of emergency calls initiated by the user terminal, every time the user terminal sends the emergency call request message, the MME will add one to the number of emergency calls of the user terminal, and record time and a corresponding relation between the access network identity of the user terminal and the number of emergency calls;
- secondly, the MME judging whether a searched number of call requests is greater than a set threshold value, if yes, rejecting to respond to the emergency call request of the user terminal; and if not, executing an operation of sending the query request to the HSS;
- wherein, the set threshold value is to limit the number of times for one user terminal sending the emergency call request to the MME within a unit time, and it is generally determined according to the actual demand, which is not limited here.
- In
step 102, the MME receives a query result carrying verification information and first authentication data returned by the HSS. - Wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information, wherein, the security key contains a device key, the device key is determined by the HSS according to a locally stored corresponding relation between the access network identity and the device key.
- In the
step 102, the MME contains the access network identity carried in the received emergency call request message into the query request to send to the HSS. - After the HSS receives the query request sent by the MME, the following operation steps are executed.
- In
step 1, according to the locally stored corresponding relation between the access network identity and the device key, a device key corresponding to the access network identity contained in the query request is determined. - In
step 2, a security key containing the device key and the randomly generated verification information are used for calculating to obtain the first authentication data. - It should be noted that, the way of calculation can be to use a set algorithm, and it also can be to calculate according to a protocol rule in the 3rd Generation Partnership Project (3GPP) protocol, which is not limited here.
- In
step 3, the randomly generated verification information and the obtained first authentication data are taken as a query result to be sent to the MME. - Wherein, the verification information can be verification information in a 3GPP format, such as RAND; the first authentication data are device-challenge; the query result is RAND||device-challenge, it also can be information in other forms, which is determined according to the actual requirement and not limited here.
- In
step 103, the MME receives second authentication data sent by the user terminal. - Wherein, the second authentication data are obtained by the user terminal performing calculation with the locally stored security key and the verification information after receiving the verification information sent by the MME.
- In the
step 103, the MME receives the query result returned by the HSS, the query result contains random verification information, and the MME sends the random verification information to the user terminal. - After the user terminal receives the verification information, the following operation steps are executed.
- In
step 1, a device key corresponding to the IMEI of the user terminal itself is determined. - In
step 2, it is to perform calculation on the received verification information with the security key containing the determined device key to obtain the second authentication data. - In
step 3, the obtained second authentication data are sent to the MME. - In
step 104, the MME compares the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determines that an authentication is passed, and allows the user terminal to access a communication network. - In the
step 104, the MME judges whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executes an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executes an operation of determining that the authentication is not passed and rejecting accessing the network. - In
step 105, after allowing the user terminal to access the communication network, the MME receives an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key. - In order to guarantee that the emergency call message sent by the user terminal is not tampered, when the user terminal sends the emergency call message to the MME, an encryption operation is performed on the carried emergency call contents, which guarantees the security of the transmitted message.
- In
step 106, the MME sends the received emergency call message to the HSS to be parsed, and returns a response message to the user terminal according to a parse result. - Since the HSS stores the device key, and the security key is determined by the device key, the MME is required to perform decryption operation on the received encrypted emergency call message through the HSS when receiving the encrypted emergency call message.
- In the scheme of the
embodiment 1 of the present invention, by locally storing the corresponding relation between the IMEI of the user terminal and the device key in the user terminal and the HSS respectively, when the user terminal sends the emergency call request message to the MME, the MME acquires the security key containing the device key from the HSS, and acquires the first authentication data obtained by performing calculation with the security key and the random verification information, and receives the second authentication data obtained through calculation according to the locally stored security key and the received verification information sent by the user terminal, and compares the first authentication data and the second authentication data, when the comparison result is that the first authentication data and the second authentication data are identical, determines that the authentication is passed, and allows the user terminal to access the communication network, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network. - As shown in
FIG. 3 , it is a schematic diagram of a structure of a call authentication device according to theembodiment 2, the device includes: afirst receiving module 11, asecond receiving module 12, athird receiving module 13 and acomparison module 14, wherein: - the
first receiving module 11 is configured to: receive an emergency call request message carrying an access network identity sent by a user terminal, and carry the access network identity into a query request to send to an HSS; - the
second receiving module 12 is configured to: receive a query result carrying verification information and first authentication data returned by the HSS, wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information, the security key contains a device key, the device key is determined by the HSS according to a locally stored corresponding relation between an access network identity and a device key; - the
third receiving module 13 is configured to: receive second authentication data sent by the user terminal, wherein, the second authentication data are obtained by the user terminal performing calculation on verification information with a locally stored security key after receiving the verification information sent by an MME; and - the
comparison module 14 is configured to: compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network. - Alternatively, the device also includes: a
fourth receiving module 15 and amessage processing module 16, wherein: - the
fourth receiving module 15 is configured to: after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and - the
message processing module 16 is configured to: send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result. - Wherein, the emergency call request message carries the access network identity of the user terminal.
- The device also includes: a call-
times determination module 17 and acall judgment module 18, wherein: - the call-
times determination module 17 is configured to: before carrying the access network identity into the query request to send to the HSS, according to a corresponding relation between the access network identity of the user terminal and the number of emergency call requests, search for the number of times for the user terminal sending an emergency call request within a set duration; and - the
call judgment module 18 is configured to: judge whether a searched number of emergency call requests is greater than a set threshold value, if yes, reject to respond to the emergency call request of the user terminal; and if not, execute an operation of carrying the access network identity into the query request to send to the HSS. - The
comparison module 14 is configured to compare the first authentication data and the second authentication data in the following way: judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network. - As shown in
FIG. 4 , it is a schematic diagram of a structure of an HSS according to theembodiment 3, the HSS includes: a receivingmodule 21, a first authenticationdata calculation module 22 and a sendingmodule 23, wherein: - the receiving
module 21 is configured to: receive a query request sent by an MME, wherein, the query request contains an access network identity, and the access network identity sent is carried in an emergency call request message sent by a user terminal to the MME; - the first authentication
data calculation module 22 is configured to: according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain first authentication data; and - the sending
module 23 is configured to: take the randomly generated verification information and the obtained first authentication data as a query result to send to the MME, so that the MME compares the obtained first authentication data and received second authentication data sent by the user terminal, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network. - Alternatively, the access network identity is an IMEI of the user terminal;
the first authenticationdata calculation module 22 is further configured to: store a corresponding relation between the IMEI of the user terminal and the device key. - As shown in
FIG. 5 , it is a structure diagram of a call authentication system according to theembodiment 4, the system includes: anMME 31, auser terminal 32 and anHSS 33, wherein: - the
MME 31 is configured to: receive an emergency call request message sent by theuser terminal 32, and send a query request containing an access network identity carried in the emergency call request message to theHSS 33; receive a query result carrying verification information and first authentication data returned by theHSS 33, and second authentication data sent by theuser terminal 32; compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow theuser terminal 32 to access a communication network; after allowing theuser terminal 32 to access the communication network, receive an emergency call message carrying emergency call contents sent by theuser terminal 32, wherein, the emergency call contents are obtained after being encrypted by theuser terminal 32 with a security key; and send the received emergency call message to theHSS 33 to be parsed, and return a response message to theuser terminal 32 according to a parse result; - the
user terminal 32 is configured to: send the emergency call request message carrying the access network identity to theMME 31; send the second authentication data to theMME 31; and after being allowed to access the communication network, send the emergency call message carrying the emergency call contents to theMME 31, wherein, the emergency call contents are obtained after being encrypted with the security key; and - the
HSS 33 is configured to: receive the query request carrying the access network identity sent by theMME 31, and according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain the first authentication data and send the first authentication data to theMME 31; and after allowing theuser terminal 32 to access the communication network, receive and parse the emergency call message carrying the emergency call contents sent by theMME 31. - Alternatively, the
user terminal 32 is further configured to: when theuser terminal 32 receives the verification information sent by theMME 31, perform calculation on the received verification information with the locally stored security key to obtain the second authentication data. - The ordinary person skilled in the art can understand that all or part of the steps in the above method can be completed by a program instructing related hardware, and the program can be stored in a computer readable memory medium, such as a read-only memory, disk or optical disk and so on. Alternatively, all or part of the steps of the above embodiments also can be implemented by using one or multiple integrated circuits. Correspondingly, each module/unit in the above embodiments can be implemented in a form of hardware, and also can be implemented in a form of software function module. The embodiments of the present invention are not limited to any combination of hardware and software in a specific form.
- Apparently, those skilled in the art can make various modifications and variations for the embodiments of the present invention without departing from the spirit and scope of the present invention. Therefore, if these modifications and variations of the embodiments of the present invention belong to the scope of the claims of the present invention and the equivalent techniques thereof, the present invention also intends to include these modifications and variations.
- In the embodiments of the present invention, the corresponding relation between the IMEI of the user terminal and the device key is locally stored in the user terminal and the HSS respectively, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
Claims (15)
- A call authentication method, comprising:a Mobile Management Entity (MME) receiving an emergency call request message carrying an access network identity sent by a user terminal, and carrying the access network identity into a query request to send to a Home Subscriber Server (HSS);the MME receiving a query result carrying verification information and first authentication data returned by the HSS, wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information; the security key comprises a device key; the device key is determined by the HSS according to a locally stored corresponding relation between an access network identity and a device key;the MME receiving second authentication data sent by the user terminal, wherein, the second authentication data are obtained by the user terminal performing calculation with a locally stored security key and verification information after receiving the verification information sent by the MME; andthe MME comparing the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determining that an authentication is passed, and allowing the user terminal to access a communication network.
- The method according to claim 1, further comprising: after allowing the user terminal to access the communication network,
the MME receiving an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and
the MME sending the received emergency call message to the HSS to be parsed, and returning a response message to the user terminal according to a parse result. - The method according to claim 1, further comprising: after the MME receives the emergency call request message and before the MME sends the query request to the HSS,
according to a corresponding relation between the access network identity of the user terminal and a number of emergency call requests, the MME searching for a number of times for the user terminal sending the emergency call request to the MME within a set duration; and
the MME judging whether a searched number of emergency call requests is greater than a set threshold value, if yes, rejecting to respond to the emergency call request of the user terminal; and if not, executing an operation of sending the query request to the HSS. - The method according to claim 1, wherein, the step of the MME receiving the second authentication data sent by the user terminal comprises:the MME receiving the second authentication data obtained by the user terminal performing calculation on the received verification information with the locally stored security key when the user terminal receives the verification information sent by the MME.
- The method according to any one of claims 1 to 4, wherein, the step of the MME comparing the first authentication data and the second authentication data comprises:the MME judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
- A call authentication method, comprising:a Home Subscriber Server (HSS) receiving a query request sent by a Mobile Management Entity (MME), wherein, the query request contains an access network identity, and the access network identity is carried in an emergency call request message sent by a user terminal to the MME;according to a locally stored corresponding relation between an access network identity and a device key, the HSS determining a device key corresponding to the access network identity contained in the query request, and performing calculation with a security key containing the device key and randomly generated verification information to obtain first authentication data; andthe HSS taking the randomly generated verification information and the obtained first authentication data as a query result to send to the MME, so that the MME compares the obtained first authentication data and received second authentication data sent by the user terminal, and when a comparison result is that the first authentication data and the second authentication data are identical, determining that an authentication is passed, and allowing the user terminal to access a communication network.
- The method according to claim 6, wherein, the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal;
the locally stored corresponding relation between the access network identity and the device key comprises:a corresponding relation between the IMEI of the user terminal and the device key locally stored by the HSS. - A call authentication device, comprising:a first receiving module, configured to: receive an emergency call request message carrying an access network identity sent by a user terminal, and carry the access network identity into a query request to send to a Home Subscriber Server (HSS);a second receiving module, configured to: receive a query result carrying verification information and first authentication data returned by the HSS, wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information; the security key comprises a device key; the device key is determined by the HSS according to a locally stored corresponding relation between an access network identity and a device key;a third receiving module, configured to: receive second authentication data sent by the user terminal, wherein, the second authentication data are obtained by the user terminal performing calculation on verification information with a locally stored security key after receiving the verification information sent by a Mobile Management Entity (MME); anda comparison module, configured to: compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network.
- The device according to claim 8, further comprising:a fourth receiving module, configured to: after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; anda message processing module, configured to: send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result.
- The device according to claim 8, wherein, the emergency call request message carries the access network identity of the user terminal;
the device further comprises: a call-times determination module and a call judgment module, wherein:the call-times determination module is configured to: before carrying the received access network identity in the query request to send to the HSS, according to a corresponding relation between the access network identity of the user terminal and a number of emergency call requests, search for a number of times for the user terminal sending an emergency call request within a set duration; andthe call judgment module is configured to: judge whether a searched number of emergency call requests is greater than a set threshold value, if yes, reject to respond to the emergency call request of the user terminal; and if not, execute an operation of carrying the received access network identity into the query request to send to the HSS. - The device according to claim 8, wherein, the comparison module is configured to compare the first authentication data and the second authentication data by means of:judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
- A Home Subscriber Server (HSS), comprising:a receiving module, configured to: receive a query request sent by a Mobile Management Entity (MME), wherein, the query request contains an access network identity, and the access network identity is carried in an emergency call request message sent by a user terminal to the MME;a first authentication data calculation module, configured to: according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain first authentication data; anda sending module, configured to: take the randomly generated verification information and the obtained first authentication data as a query result to send to the MME, so that the MME compares the obtained first authentication data and received second authentication data sent by the user terminal, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network.
- The HSS according to claim 12, wherein, the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal;
the first authentication data calculation module is further configured to: store a corresponding relation between the IMEI of the user terminal and the device key. - A call authentication system, comprising: a Mobile Management Entity (MME), a user terminal and a Home Subscriber Server (HSS); wherein,
the MME is configured to: receive an emergency call request message sent by the user terminal, and send a query request containing an access network identity carried in the emergency call request message to the HSS; receive a query result carrying verification information and first authentication data returned by the HSS, and second authentication data sent by the user terminal; compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network; after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with a security key; and send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result;
the user terminal is configured to: send the emergency call request message carrying the access network identity to the MME; send the second authentication data to the MME; and after being allowed to access the communication network, send the emergency call message carrying the emergency call contents to the MME, wherein, the emergency call contents are obtained after being encrypted with the security key; and
the HSS is configured to: receive the query request carrying the access network identity sent by the MME, and according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain the first authentication data and send the first authentication data to the MME; and after allowing the user terminal to access the communication network, receive and parse the emergency call message carrying the emergency call contents sent by the MME. - The system according to claim 14, wherein,
the user terminal is further configured to: when the user terminal receives the verification information sent by the MME, perform calculation on the received verification information with the locally stored security key to obtain the second authentication data.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210335631.XA CN103686651B (en) | 2012-09-12 | 2012-09-12 | A kind of authentication method based on urgent call, equipment and system |
PCT/CN2013/080490 WO2013185709A1 (en) | 2012-09-12 | 2013-07-31 | Call authentication method, device, and system |
Publications (3)
Publication Number | Publication Date |
---|---|
EP2874367A1 true EP2874367A1 (en) | 2015-05-20 |
EP2874367A4 EP2874367A4 (en) | 2015-10-21 |
EP2874367B1 EP2874367B1 (en) | 2018-08-29 |
Family
ID=49757589
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP13803875.7A Active EP2874367B1 (en) | 2012-09-12 | 2013-07-31 | Call authentication method, device, and system |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP2874367B1 (en) |
CN (1) | CN103686651B (en) |
WO (1) | WO2013185709A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10154134B1 (en) | 2016-04-05 | 2018-12-11 | State Farm Mutual Automobile Insurance Company | Systems and methods for authenticating a caller at a call center |
US11696250B2 (en) * | 2016-11-09 | 2023-07-04 | Intel Corporation | UE and devices for detach handling |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2526583A (en) * | 2014-05-28 | 2015-12-02 | Vodafone Ip Licensing Ltd | Access class barring for mobile terminated communication and active mobility |
CN107222933B (en) * | 2017-06-27 | 2020-11-17 | 努比亚技术有限公司 | Communication method, terminal and computer readable storage medium |
CN108419229B (en) * | 2018-01-23 | 2020-08-11 | 北京中兴高达通信技术有限公司 | Access method and device |
CN109348057A (en) * | 2018-10-25 | 2019-02-15 | 维沃移动通信有限公司 | A kind of method of calling and mobile terminal |
CN112004228B (en) * | 2019-05-27 | 2023-06-02 | 中国电信股份有限公司 | Real person authentication method and system |
CN113206886B (en) * | 2021-05-08 | 2023-02-10 | 深圳市信锐网科技术有限公司 | Method, device, equipment and medium for accessing equipment to Internet of things platform |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7764945B2 (en) * | 2006-03-08 | 2010-07-27 | Cisco Technology, Inc. | Method and apparatus for token distribution in session for future polling or subscription |
US9515850B2 (en) * | 2009-02-18 | 2016-12-06 | Telefonaktiebolaget Lm Ericsson (Publ) | Non-validated emergency calls for all-IP 3GPP IMS networks |
US8693642B2 (en) * | 2009-04-16 | 2014-04-08 | Alcatel Lucent | Emergency call handling in accordance with authentication procedure in communication network |
WO2011009496A1 (en) * | 2009-07-24 | 2011-01-27 | Telefonaktiebolaget Lm Ericsson (Publ) | Terminal identifiers in a communications network |
CN102025685B (en) * | 2009-09-21 | 2013-09-11 | 华为技术有限公司 | Authentication processing method and device |
CN102055744A (en) * | 2009-11-06 | 2011-05-11 | 中兴通讯股份有限公司 | Implementing system and method of IP (Internet Protocol) multimedia subsystem emergency call service |
CN101931955B (en) * | 2010-09-03 | 2015-01-28 | 中兴通讯股份有限公司 | Authentication method, device and system |
-
2012
- 2012-09-12 CN CN201210335631.XA patent/CN103686651B/en active Active
-
2013
- 2013-07-31 EP EP13803875.7A patent/EP2874367B1/en active Active
- 2013-07-31 WO PCT/CN2013/080490 patent/WO2013185709A1/en active Application Filing
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10154134B1 (en) | 2016-04-05 | 2018-12-11 | State Farm Mutual Automobile Insurance Company | Systems and methods for authenticating a caller at a call center |
US10158754B1 (en) | 2016-04-05 | 2018-12-18 | State Farm Mutual Automobile Insurance Company | Systems and methods for authenticating a caller at a call center |
US10594860B1 (en) | 2016-04-05 | 2020-03-17 | State Farm Mutual Automobile Insurance Company | Systems and methods for authenticating a caller at a call center |
US10721353B1 (en) | 2016-04-05 | 2020-07-21 | State Farm Mutual Automobile Insurance Company | Systems and methods for authenticating a caller at a call center |
US11140261B1 (en) | 2016-04-05 | 2021-10-05 | State Farm Mutual Automobile Insurance Company | Systems and methods for authenticating a caller at a call center |
US11425242B1 (en) | 2016-04-05 | 2022-08-23 | State Farm Mutual Automobile Insurance Company | Systems and methods for authenticating a caller at a call center |
US11696250B2 (en) * | 2016-11-09 | 2023-07-04 | Intel Corporation | UE and devices for detach handling |
Also Published As
Publication number | Publication date |
---|---|
WO2013185709A1 (en) | 2013-12-19 |
CN103686651A (en) | 2014-03-26 |
EP2874367A4 (en) | 2015-10-21 |
CN103686651B (en) | 2018-05-11 |
EP2874367B1 (en) | 2018-08-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2874367B1 (en) | Call authentication method, device, and system | |
US8706085B2 (en) | Method and apparatus for authenticating communication device | |
CN109716834B (en) | Temporary identifier in a wireless communication system | |
EP3485624B1 (en) | Operation related to user equipment using secret identifier | |
US10171993B2 (en) | Identity request control for user equipment | |
EP2755413B1 (en) | Managing undesired service requests in a network | |
CN109922474B (en) | Method for triggering network authentication and related equipment | |
US10681546B2 (en) | Processing method for sim card equipped terminal access to 3GPP network and apparatus | |
CN102318386A (en) | Service-based authentication to a network | |
EP3119130B1 (en) | Restriction control device and restriction control method | |
WO2016110093A1 (en) | D2d mode b discovery security method, terminal and system, and storage medium | |
US9860825B2 (en) | Mobile hardware identity in an environment with multiple radio access networks | |
US9538378B2 (en) | Controlling access to a long term evolution network via a non-long term evolution access network | |
US11070376B2 (en) | Systems and methods for user-based authentication | |
KR20180061315A (en) | Preventing attacks from false base stations | |
US20150026787A1 (en) | Authentication method, device and system for user equipment | |
CN110087338B (en) | Method and equipment for authenticating narrowband Internet of things | |
CN110830421B (en) | Data transmission method and device | |
CN108243416A (en) | User equipment authority identification method, mobile management entity and user equipment | |
CN114697945B (en) | Method and device for generating discovery response message and method for processing discovery message | |
US9215594B2 (en) | Subscriber data management | |
US8965343B1 (en) | Security key based authorization of transceivers in wireless communication devices | |
EP3488627B1 (en) | Proof-of-presence indicator | |
CN108076009B (en) | Resource sharing method, device and system | |
CN117692902B (en) | Intelligent home interaction method and system based on embedded home gateway |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20150212 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
RA4 | Supplementary search report drawn up and despatched (corrected) |
Effective date: 20150923 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04W 12/06 20090101ALI20150917BHEP Ipc: H04W 76/00 20090101ALI20150917BHEP Ipc: H04W 4/22 20090101ALI20150917BHEP Ipc: H04L 29/06 20060101AFI20150917BHEP |
|
DAX | Request for extension of the european patent (deleted) | ||
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
17Q | First examination report despatched |
Effective date: 20171006 |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04W 76/00 20180101ALI20180213BHEP Ipc: H04W 12/06 20090101ALI20180213BHEP Ipc: H04L 29/06 20060101AFI20180213BHEP |
|
INTG | Intention to grant announced |
Effective date: 20180309 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: REF Ref document number: 1036507 Country of ref document: AT Kind code of ref document: T Effective date: 20180915 |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602013042848 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: MP Effective date: 20180829 |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG4D |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20181130 Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20181129 Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20181229 Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20181129 |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 1036507 Country of ref document: AT Kind code of ref document: T Effective date: 20180829 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: AL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 602013042848 Country of ref document: DE |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
26N | No opposition filed |
Effective date: 20190531 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: TR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 |
|
REG | Reference to a national code |
Ref country code: BE Ref legal event code: MM Effective date: 20190731 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20190731 Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20190731 Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20190731 Ref country code: BE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20190731 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20181229 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20190731 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CY Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 Ref country code: HU Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO Effective date: 20130731 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Ref document number: 602013042848 Country of ref document: DE Free format text: PREVIOUS MAIN CLASS: H04L0029060000 Ipc: H04L0065000000 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180829 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FR Payment date: 20230620 Year of fee payment: 11 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: GB Payment date: 20230608 Year of fee payment: 11 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DE Payment date: 20230607 Year of fee payment: 11 |